I hung around with hackers for a week, and now I'm completely paranoid

REUTERS
I was somewhere around the Paris Hotel on the edge of the Las Vegas Strip when the paranoia began to take hold.

I glanced down at my phone. Sitting in a talk by Lavabit CEO Ladar Levison, I noticed my Wi-Fi was left turned on, though it wasn't connected to a network.

Was someone sniffing my phone's data? Could I have been hacked?

I quickly turned it off and put it back in my pocket.

This is what it's like to attend Def Con, the world's largest hacker conference and home to what's billed as the most "profoundly hostile" wireless network anywhere. Before that, I was at Black Hat USA, the information security conference during the same week.

Chances are, my small error didn't inspire any mischief among the "black hat" hackers who blend in among government agents and the "white hat" types who protect companies from attacks. But it was a moment of realization that would come up repeatedly over the week: The possibility of getting hacked — "owned," as they say in the hacker world — is not something that should be feared by the vast majority of people, but for journalists, activists, and even hackers themselves, a little paranoia can be a good thing.

This realization is particularly evident when a giant screen projected inside a room on the Bally's 26th floor is showing off the "Wall of Sheep" — the unlucky souls who were letting data packets with usernames, passwords, and other information fly out in the clear, with Def Con's "packet hunters" picking them up.

The idea of staying on guard was made clear while attending a talk earlier in the week at Black Hat USA, in which Claudio Guarnieri and Collin Anderson debuted three years of research on what is believed to be multiple groups of government-linked Iranian hackers targeting external human-rights groups and dissidents within the country.

The methods the hackers used were crude, but effective: Simple emails enticing victims to click a link to a website the attacker loaded with malicious code, or with attachments that download malware.

At Def Con, there were speakers focused on hacking cars or exploiting software specifically designed to thwart hackers such as Little Snitch. Two security researchers even debuted ransomware on a smart thermostat.

All in all, the week of hacking conferences I attended made me greater appreciate the work that security researchers do in pointing out vulnerabilities, as well as their attempts at patching them.

But it also reinforced the importance of the user to proactively keep themselves safe online. If I learned anything during a week of talking with and hanging around hackers, it's that it's easier than ever for even inexperienced hackers with high-tech tools to target someone.

The Wickr Foundation's "tips for surviving Def Con" say to completely turn off Wi-Fi and Bluetooth, cover cameras with tape, never use ATMs, and never connect phone chargers except for your own — even at the airport. While this may be totally paranoid advice for a week where 20,000 hackers are in town, it can be overkill for the average journalist or activist.

Still, the basics are so simple to implement that it's incredibly surprising to see so many people leave themselves wide open to attack. Though they won't make a person "unhackable" — that's not possible — taking basic precautions will make for a hard target, which can immediately deter an attacker and cause them to move on to someone else.

For example, a hacker can execute a "man-in-the-middle" attack on a coffee shop's Wi-Fi network and intercept everything, but if you used a free VPN service, they'd see nothing but encrypted traffic. And while a brute force attack or social engineering a target can glean a super-simple password, it would be much harder if a victim were using a password manager like 1Password or LastPass to generate 30-plus-character passwords that are safely stored.